Category: Données Personnelles

After more than four years of negotiation, the new regulation on personal data (the “Regulation”) has finally been adopted on May 24, 2016[1]. However, it shall take effect only as of May 24, 2018. Data controllers and processors will have until this date to comply with the Regulation, including for those processing of data already implemented up until this date.

The purpose of the Regulation is to adapt the rules on personal data to the digital world and to harmonize said rules within the European Union (EU) member states. This text will replace the existing regulation.

Its scope is broad: it will apply when (i) personal data collected relate to a citizen residing in the EU, whether or not the data controller is established in such territory; (ii) the data controller or its processor resides in the EU, i.e. the Regulation would apply to a non-European citizen whose data would be collected or processed by a EU company. The place of establishment of the data controller, used until the new Regulation comes into effect to define the law applicable to data processing, has been significantly expanded. The aim is particularly to enable a regulation of data processing carried out over the Internet when one of the persons involved in the processing (the data controller/processor or the person whose data are processed) is located outside the European Economic Area.

The following essential points of the Regulation should be noted:

  • It establishes a high level of protection and control of citizens over their personal data, particularly by creating a right to data portability and enshrining a “right to be forgotten”;
  • It fundamentally modifies the liability regime. For instance, data controllers are no longer subject to the declaration obligation (however, the authorization scheme is maintained for certain cases) and will have to demonstrate that they have complied with the provisions of the Regulation; legal obligations will now apply to data processors;
  • Administrative penalties have been strengthened in the event of non-compliance with these rules: such penalties could range up to 4% of the annual worldwide turnover of the company and up to 10 or 20 million euros in other cases.

More particularly, among the obligations placed on companies processing personal data, the latter shall now:

  • Implement appropriate technical and organizational measures and be able to demonstrate such compliance with the Regulation at any time (the “accountability principle”). In this respect, data controllers should for instance guarantee the confidentiality of the data processing or ensure that, by default, only those data strictly necessary with regard each purposes be processed (the “minimization principle”);
  • If a company has more than 250 employees (subject to certain exceptions), maintain a record of processing activities comparable to an inventory of processing operations;
  • Appoint a data protection officer if the company belongs to the public sector, if its core activities consist of processing operations which require systematic monitoring of data on a large scale or if its core activities consist of processing (still on a large scale basis) “sensitive” data or data relating to criminal convictions;
  • Notify security flaws to the authorities (and the persons concerned if such breach is likely to result in a high risk to the rights and freedoms of a person) within a 72 hours delay after having become aware of it.

Given that the Regulation will apply to processing of data already implemented in May 2018, companies have an incentive to make the necessary changes as soon as possible in order to abide by these new rules which imply reshaping a new organization, particularly for data processors bound by legal obligations for the first time.


[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC


In a decision dated January 26, 2016, the French Data Protection Authority (CNIL) declared that the processing of personal data operated by Facebook Inc. and Facebook Ireland does not comply with French law and ordered said companies to take measures to comply accordingly. The CNIL clearly provided in its decision that each violation of French law would give rise to a formal notice as well as separate and cumulative penalties.

While this decision outlines the practices of the Facebook companies regarding data processing carried out (found to be illegal by the CNIL), the real change lies in the fact that the CNIL has, for the first time, declared itself competent to analyze and punish the processing of personal data operated by the Californian giant in accordance with French law, which the CNIL considered applicable to the facts at stake.

Until now, the CNIL had only sent simple letters to the Facebook companies. Indeed, the French Data Protection Authority took the view that to the extent that French law was not applicable, it could not impose any penalties if Facebook failed to respond or implement new measures. This situation has now changed.

By recognizing that French law applies to Facebook Inc. and Facebook Ireland, the CNIL endorses the recent <em>Google Spain</em> (C-131/12) and <em>Weltimmo</em> (C-230/14) decisions of the Court of Justice of the European Union which significantly expanded the definition of “establishment” which determines the application of the rules and regulations of a Member State to data processing operated by a data controller located outside the European Economic Area (in accordance with articles 4 of Directive 95/46/EC and 5 of the French Data Protection Act n°78-17 dated January 6, 1978).

Accordingly, when a non-EU data controller has an “establishment” located in a EU Member State – please note that an “establishment” does not necessarily comprise a registered company but any stable installation which, without directly processing data, intervenes within the scope of the data controller activities (by ensuring promotion and sale of advertising spaces for instance) – the national law of said state would apply.

The CNIL demonstrates, by applying the extension of the “establishment” standard and by declaring French law applicable to the case at hand, its intention to be positioned as a leader in the protection of personal data in Europe, in accordance with the European Commission<a href=”#_ftn1″ name=”_ftnref1″>[1]</a>’s strategy to hold the internet players located abroad liable.

This decision can be considered as the first compelling action of a personal data protection authority against a Web giant. It is therefore likely that foreign companies operating data processing in France will soon also face investigations by the CNIL and possible penalties should said companies fail to comply with the obligations provided by French law.

Given that a company’s image will undoubtedly be harmed by those penalties, and in view of the cumulative nature of the fines incurred, the data controllers who believed French law would not apply to their processing should now better think twice before setting up said data processing.

This is all the more true with the entry into force of the European regulation which provides that the regulatory authorities’ administrative fines may be calculated as a percentage of the data controller’s annual worldwide turnover (within a limit of 1,000,000 euros).

Companies’ compliance with EU law, and particularly French law, has now clearly become a priority. &nbsp; <a href=”#_ftnref1″ name=”_ftn1″>[1]</a> Indeed, the future European regulation provides that EU law shall apply to processing of personal data relating to those persons whose domicile is located within the EU when the processing activities are linked to the (i) supply of goods or services, or (ii) observation of their behavior


The decision of the European Court of Justice (CJEU) dated October 6, 2015[1] invalidated the “Safe Harbor” framework which authorized, since 2000[2], the transfer of personal data from within the European Union to companies with “Safe Harbor” certifications located in the United States.

For memory, the United States does not provide for an adequate level of protection and consequently the transfer of personal data to companies located in said country is generally prohibited[3]. However, by way of exception, prior to such decision, European companies could transfer personal data to American providers/data processors only if the latter i) self-certified that they will commit to implement processes ensuring an adequate level of protection or ii) entered into agreements with the European data controller, including “model contract clauses” issued by the European Commission[4].

In its decision dated October 6, 2015, the CJEU underlined that the “Safe Harbor” certification no longer provided a sufficient level of privacy protection, in view of the disclosures of mass surveillance programs of the NSA by Edward Snowden in 2013. The decision being effective immediately, any and all transfer of personal data made on the basis of said certification are consequently illegal and should in theory be terminated or otherwise modified to conform to the decision.

Following this decision, the French Data Protection Authority (CNIL) and its European counterparts (Article 29 Working Party) met on October 15 to prepare a common action plan to permit the creation of a new legal framework. Accordingly, the Article 29 Working Party called on the European institutions and governments to implement a new legal framework enabling the transfer of data between Europe and the United States, before January 31, 2016. Such solutions could be sought during intergovernmental agreement negotiations and the implementation of a new “Safe Harbor” framework could be considered.

The Working Party continues its analysis of the consequences of the CJEU decision on the other means available to transfer data to the United States, particularly regarding the aforementioned “model contract clauses”. The Working Party indicated that, pending the implementation of the new regulations, European companies are still permitted to employ these “model contract clauses” for the transfer of personal data to the United States.

However, the personal data of European companies or individuals which have been transferred to American providers using these “model contract clauses” may still be subject to the intrusion of the NSA to the same extent as when the “Safe Harbor” framework was employed. A court decision or a CNIL recommendation could also invalidate the use of such clauses[5].

Pending the signature of a new intergovernmental agreement or the implementation of new transfer means, what strategy should the companies adopt today?

Given the current context, European companies wishing to transfer their data to the United States should act with caution and accordingly should implement legal and technical solutions to limit the potential risk taken when transferring their personal data. The foregoing essentially involves setting up restrictive contractual clauses with the providers receiving said data in the United States.

Such clauses should notably include:

  • at a minimum, all of the obligations provided in the “model contract clauses”;
  • the following additional obligations for American providers operating a Cloud Computing service:
  • information regarding data processing (compliance with the French Data Protection Act[6], definition of the processing methods in place, obtaining client’s consent should the data processing be entrusted to another data processor, limitation of the data retention period and ensuring that said obligations are included in subcontracting contracts);
  • the implementation of a complaints system and measures to avoid security flaws;
  • the possibility for the client to audit the provider;
  • the destruction of data and its restitution at the end of the services provided or in case of early termination of the contract, in a format chosen by the client;
  • the detailed specification of the provider’s obligations regarding data security (including physical and technical security measures, traceability, continuity of services, level of service, backup) and specification that the latter can only act on instructions from the client;
  • the cooperation of the service provider with the relevant data protection authorities and obligation to provide the client with any and all useful information in order to make the statement concerning data processing to said authorities;
  • the clear and exhaustive indication of the countries hosting the data and guarantee of an adequate protection in said countries.

iii) finally and most importantly, to prevent any potential changes of position by the CNIL, the following specific obligations to ensure the legality of the transfer under any circumstances:

  • the obligation to take all necessary technical and legal measures in order to comply with the developments of the French Data Protection Act and with the CNIL recommendations;
  • in the event of the inability or impossibility to comply with the developments of the French Data Protection Act, the inclusion of an automatic termination clause with the obligation to restitute such data in addition to the removal of such data without additional charge for the client.

Up until now, the recourse to “Safe Harbor” data processors was principally insured by signing standard terms and conditions or boilerplate agreements which European clients were unable to negotiate. The situation of the formerly “Safe Harbor” American providers is unclear and will necessarily force said providers to amend their contracts in order to adapt them to the requirements of their European clients. The decision of the CJEU may have the merit of rebalancing the forces in play between the European data controllers and the American service providers.

[1] CJEU decision dated October 6, 2015, Case C-362-14 Maximillian Schrems v. Data Protection Commissionner

[2] Commission decision dated July 26, 2000

[3] Indeed, under directive 95/46, the transfer of personal data to countries outside the European Union which do not provide an adequate level of protection should be prohibited.

[4] It should be noted that another contractual means to transfer data was provided for companies that are part of a same group (« Binding Corporate Rules »)

[5] In this respect, it should be specified that a German data protection authority expressed its wish to also invalidate the model contract clauses and to authorize data transfer to the United States only subject to changes in its legislations

[6] Act n°78-17 dated January 6, 1978[:]